ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.

What are we doing here? Let's implement the set-up below:

[Diagram: clamscan set-up overview; image not included]

The goal is to detect malicious code, known virus signatures and malware as efficiently as possible without using any paid software or services.

On to the implementation:

Installation of ClamAV on CentOS:

yum install clam* (the ClamAV packages come from the EPEL repository, so enable it first; if this works, go straight to the Set-up step and check the install with clamscan --version)

OR follow one of these guides:

http://www.md3v.com/install-clamav-on-centos-6-0

http://datlinux.blogspot.com.au/2013/03/how-to-install-clamav-on-linux-centos.html

Set-up on Web-Server/Email Servers:

  • root@bt [~]# mkdir /root/clam-scan-project
  • root@bt [~]# vi /etc/cron.monthly/add-signatures.sh
  • root@bt [~]# chmod +x /etc/cron.monthly/add-signatures.sh (cron.monthly only runs executable files)

Copy and paste the code below into add-signatures.sh:

##Script starts from here##

#!/bin/bash
# Monthly job: pull newly listed blocklist domains into a local ClamAV database,
# refresh the official database, scan /home with each database and e-mail an
# HTML report. Do not add "set -e": clamscan exits 1 when it finds infected
# files, and that is exactly the run we want reported.

DIR=/root/clam-scan-project
FEED=http://www.malwaredomainlist.com/hostslist/hosts.txt
file=$DIR/current.txt

# Fetch the hosts list; col -b normalises the CRLF line endings of the feed.
wget -O $DIR/hosts.txt $FEED
cat $DIR/hosts.txt | col -b > $DIR/host.txt

if [ -f $file ]; then
    # Later runs: diff prints added lines as "> 127.0.0.1 domain", so $3 is the domain.
    diff -I '^#' $file $DIR/host.txt | grep '^>' | grep -v localhost | awk '{ print $3 }' > $DIR/add-domains.txt
else
    # First run: every domain in the list, taken from column 2 of "127.0.0.1 domain".
    grep -v '^#' $DIR/host.txt | awk '{ print $2 }' | grep -v localhost > $DIR/add-domains.txt
fi

if [ -s $DIR/add-domains.txt ]; then
    for i in $(cat $DIR/add-domains.txt)
    do
        # sigtool also hex-dumps the newline that echo appends; sed drops that trailing "0a".
        x=$(echo $i | sigtool --hex-dump | sed 's/\(.*\)../\1/')
        # .ndb format is Name:TargetType:Offset:Hex; 0 = any file type, * = any offset,
        # so the signature fires on any file that contains the domain string.
        echo "$i:0:*:$x" >> $DIR/signatures.ndb
    done
fi

# Report part 1: update the official database and scan /home with it.
echo '<center><h1><i>Clam-Scan</i></h1></center>' >> $DIR/default-db-summary.log
echo '<br>' >> $DIR/default-db-summary.log
echo '<b><i>Clam-Scan Result using Default DB</i></b>' >> $DIR/default-db-summary.log
echo '<br><br>' >> $DIR/default-db-summary.log
echo '<i>Updating Clam AV database</i>' >> $DIR/default-db-summary.log
echo '<br>' >> $DIR/default-db-summary.log
echo '<pre>' >> $DIR/default-db-summary.log
freshclam --no-warnings >> $DIR/default-db-summary.log
echo '</pre>' >> $DIR/default-db-summary.log
echo '<br><br>' >> $DIR/default-db-summary.log
echo '<font color="red">' >> $DIR/default-db-summary.log
echo '<pre>' >> $DIR/default-db-summary.log
# -i prints infected files only, -r recurses; --log appends the scan output to the report.
clamscan --exclude-dir=mail -ir /home/* --log=$DIR/default-db-summary.log
echo '</pre>' >> $DIR/default-db-summary.log
echo '</font>' >> $DIR/default-db-summary.log
echo '<br>' >> $DIR/default-db-summary.log
# Move the SCAN SUMMARY block out of the red section and re-append it in bold.
sed -n '/SCAN SUMMARY/,/Time:/p' $DIR/default-db-summary.log > $DIR/summary.log
sed -i '/SCAN SUMMARY/,/Time:/d' $DIR/default-db-summary.log
echo '<b>' >> $DIR/default-db-summary.log
echo '<pre>' >> $DIR/default-db-summary.log
cat $DIR/summary.log >> $DIR/default-db-summary.log
echo '</pre>' >> $DIR/default-db-summary.log
echo '</b>' >> $DIR/default-db-summary.log
echo '<br>' >> $DIR/default-db-summary.log
echo '<hr align="left" size="3" width="70%" noshade>' >> $DIR/default-db-summary.log

# Report part 2: scan with the blocklist-derived database. --exclude-dir takes a
# regex matched against the path, so "log" also skips any directory whose path contains "log".
echo '<br>' >> $DIR/custom-db-summary.log
echo '<b><i>Clam-Scan Result using Custom DB</i></b>' >> $DIR/custom-db-summary.log
echo '<br>' >> $DIR/custom-db-summary.log
echo '<font color="red">' >> $DIR/custom-db-summary.log
echo '<pre>' >> $DIR/custom-db-summary.log
clamscan -d $DIR/signatures.ndb --exclude-dir=tmp --exclude-dir=log --exclude-dir=mail --exclude-dir=virtfs -ir /home/* --log=$DIR/custom-db-summary.log
echo '</pre>' >> $DIR/custom-db-summary.log
echo '</font>' >> $DIR/custom-db-summary.log
echo '<br>' >> $DIR/custom-db-summary.log
sed -n '/SCAN SUMMARY/,/Time:/p' $DIR/custom-db-summary.log > $DIR/summary.log
sed -i '/SCAN SUMMARY/,/Time:/d' $DIR/custom-db-summary.log
echo '<b>' >> $DIR/custom-db-summary.log
echo '<pre>' >> $DIR/custom-db-summary.log
cat $DIR/summary.log >> $DIR/custom-db-summary.log
echo '</pre>' >> $DIR/custom-db-summary.log
echo '</b>' >> $DIR/custom-db-summary.log

# Report part 3, only if the signature server's database has been copied here.
# customsig.ndb is a file, so test with -f, not -d.
if [ -f $DIR/customsig.ndb ]; then
    echo '<br>' >> $DIR/custom-sig.log
    echo '<b><i>Clam-Scan Result using signature server DB</i></b>' >> $DIR/custom-sig.log
    echo '<br>' >> $DIR/custom-sig.log
    echo '<font color="red">' >> $DIR/custom-sig.log
    echo '<pre>' >> $DIR/custom-sig.log
    clamscan -d $DIR/customsig.ndb --exclude-dir=tmp --exclude-dir=log --exclude-dir=mail --exclude-dir=virtfs -ir /home/* --log=$DIR/custom-sig.log
    echo '</pre>' >> $DIR/custom-sig.log
    echo '</font>' >> $DIR/custom-sig.log
    echo '<br>' >> $DIR/custom-sig.log
    sed -n '/SCAN SUMMARY/,/Time:/p' $DIR/custom-sig.log > $DIR/summary.log
    sed -i '/SCAN SUMMARY/,/Time:/d' $DIR/custom-sig.log
    echo '<b>' >> $DIR/custom-sig.log
    echo '<pre>' >> $DIR/custom-sig.log
    cat $DIR/summary.log >> $DIR/custom-sig.log
    echo '</pre>' >> $DIR/custom-sig.log
    echo '</b>' >> $DIR/custom-sig.log
    cat $DIR/default-db-summary.log $DIR/custom-db-summary.log $DIR/custom-sig.log >> $DIR/clam-scan-result.log
else
    cat $DIR/default-db-summary.log $DIR/custom-db-summary.log >> $DIR/clam-scan-result.log
fi

# Keep this run's list as the baseline for next month's diff.
rm -f $file
mv $DIR/host.txt $file
rm -f $DIR/hosts.txt

# Mail the HTML report (replace the addresses with your own).
(echo -e "From: clam-scan@domain.com\nTo: mailid@domain.com\nCc: emailid@domain.com,emailid@domain.com\nMIME-Version: 1.0\nSubject: Clam-Scan on $HOSTNAME\nContent-Type: text/html\n"; cat $DIR/clam-scan-result.log) | sendmail -t

rm -f $DIR/default-db-summary.log $DIR/custom-db-summary.log $DIR/custom-sig.log $DIR/clam-scan-result.log $DIR/summary.log
# Keep the list of domains added this month for reference.
mv -f $DIR/add-domains.txt /root/

##Script Ends here##

  • Once you run the script you'll see two files inside /root/clam-scan-project (the list of domains added this run is moved to /root/add-domains.txt):

root@bt [~/clam-scan-project]# ls
./ ../ current.txt signatures.ndb
root@bt [~/clam-scan-project]#
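The hosts-list to signature conversion above, redone as an added example that is not part of the original post: it computes the month-over-month delta as a sorted set difference (comm) instead of diff/grep, hex-encodes with od so it runs without sigtool, and rejects any feed line that is not a plain hostname. The file names and the sample hosts data are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: hosts-list to .ndb
# conversion with a sorted set difference instead of diff/grep, and od in
# place of sigtool so it runs anywhere. File names and sample data below are
# constructed for this example.
set -u

# Hex-encode stdin exactly as "sigtool --hex-dump" would (lowercase, no newline).
hexdump_sig() {
    od -An -v -tx1 | tr -d ' \n'
}

# Domains from hosts-file text on stdin: strip CR (the feed is CRLF), drop
# comments and localhost, and keep only plausible hostnames. The feed is
# fetched over plain HTTP, so this charset check is also what stops an
# injected line from smuggling ':' or other junk into the .ndb field layout.
hosts_domains() {
    tr -d '\r' | grep -v '^[[:space:]]*#' | awk 'NF >= 2 { print $2 }' \
        | grep -v '^localhost$' | grep -E '^[A-Za-z0-9.-]+$' | sort -u
}

# One .ndb line per domain on stdin: Name:TargetType:Offset:Hex, where
# target type 0 means any file type and offset * means anywhere in the file.
domains_to_ndb() {
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        printf '%s:0:*:%s\n' "$d" "$(printf '%s' "$d" | hexdump_sig)"
    done
}

# Domains present in the new hosts file ($2) but absent from the previous one ($1).
new_domains() {
    old=$(mktemp) new=$(mktemp)
    hosts_domains < "$1" > "$old"
    hosts_domains < "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Demo on constructed data (not the real feed): writes a previous snapshot and
# a newer list into directory $1, then prints signatures for the additions only.
# The "evil:inject" line stands in for a tampered feed entry and is dropped.
demo_delta() {
    printf '# previous snapshot\r\n127.0.0.1  localhost\r\n127.0.0.1  bad-example.test\r\n' > "$1/current.txt"
    printf '# newer snapshot\r\n127.0.0.1  localhost\r\n127.0.0.1  bad-example.test\r\n127.0.0.1  worse-example.test\r\n127.0.0.1  evil:inject\r\n' > "$1/hosts.txt"
    new_domains "$1/current.txt" "$1/hosts.txt" | domains_to_ndb
}

if [ "${1-}" = "--demo" ]; then
    dir=$(mktemp -d)
    demo_delta "$dir"
    rm -rf "$dir"
fi
```

Run it with --demo to see the single signature produced for the one added domain. Two caveats the cron script inherits: the feed arrives over plain HTTP with no integrity check, so anything on the path can hand you signature lines, which is why the hostname filter matters; and a signature that is just a domain string fires on any file containing it, including logs, caches and blocklists on the server itself, so hits from this database need triage rather than being treated as infections.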

Set-up on main signature server:

  • [root@bt ~]# vi signature_creation.sh

##Script starts here##

#!/bin/bash
# Builds /root/customsig.ndb from /root/add-by-users.txt, one pattern per line.
# Each line becomes a content signature matching any file that contains that
# exact byte string; the line text also serves as the signature name.

touch /root/customsig.ndb

if [ -s /root/add-by-users.txt ]; then
    # Read line by line: "for files in $(cat ...)" would word-split and glob
    # patterns that contain spaces, '*' or '[' (the EICAR string has both).
    while IFS= read -r files
    do
        [ -n "$files" ] || continue
        # sigtool also hex-dumps the newline printf adds; sed drops that trailing "0a".
        # printf is used instead of echo so that backslashes in the pattern survive.
        x=$(printf '%s\n' "$files" | sigtool --hex-dump | sed 's/\(.*\)../\1/')
        # Signature name: the pattern itself, capped at 2048 bytes. It must not
        # contain ':' because that is the .ndb field separator.
        y=$(printf '%s' "$files" | head -c 2048)
        echo "$y:0:*:$x" >> /root/customsig.ndb
    done < /root/add-by-users.txt
else
    echo "No patterns found in /root/add-by-users.txt"
    exit 1
fi

##script Ends here##

[root@bt ~]# cat add-by-users.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Trojan.exe\4fiveVirus
[root@bt ~]#

  • Run the script (bash signature_creation.sh) and it will add lines like these to customsig.ndb:

[root@bt ~]# cat customsig.ndb

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
Trojan.exe\4fiveVirus:0:*:54726f6a616e2e6578655c34666976655669727573

[root@bt ~]#

Testing the custom database against the EICAR test file:

[root@bt ~]# clamscan -d /root/customsig.ndb eicar.txt
eicar.txt: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*.UNOFFICIAL FOUND

———– SCAN SUMMARY ———–
Known viruses: 2
Engine version: 0.97.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.005 sec (0 m 0 s)
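An added example, not the post's own script, for the signature-server step above: it builds the same kind of .ndb lines but keeps the signature name separate from the pattern (the pattern may hold any bytes because it is hex-encoded, while the name is the first colon-delimited field and must not contain ':'), and validates the database before it is copied to the web servers. The names Custom.Eicar and Custom.Trojan:v4 are made up for the example; the two patterns are the ones from add-by-users.txt above, and od stands in for sigtool --hex-dump.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: build .ndb lines from
# arbitrary byte strings with a sanitised signature name, and validate the
# database before shipping it. Signature names below are assumptions.
set -u

# Hex-encode stdin as "sigtool --hex-dump" does (lowercase, no trailing newline).
to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# make_sig NAME PATTERN -> "NAME:0:*:HEX"
# The name is the first colon-separated field of the .ndb line, so a ':' in
# it shifts every other field; anything outside [A-Za-z0-9._-] is replaced.
# The pattern itself may be any bytes, including ':' and '\', because it is
# hex-encoded. clamscan reports signatures from such a file as NAME.UNOFFICIAL.
make_sig() {
    name=$(printf '%s' "$1" | sed 's/[^A-Za-z0-9._-]/_/g')
    printf '%s:0:*:%s\n' "$name" "$(printf '%s' "$2" | to_hex)"
}

# validate_ndb FILE: succeed only if every line has exactly four fields, a
# non-empty name, a numeric target type, a non-empty offset and a plain
# even-length lowercase hex body (the only body form these scripts emit;
# ClamAV's wildcard syntax such as ?? or {n} is deliberately not accepted).
# Offending lines are printed with their line numbers.
validate_ndb() {
    awk -F: '
        NF != 4 || $1 == "" || $2 !~ /^[0-9]+$/ || $3 == "" || $4 !~ /^([0-9a-f][0-9a-f])+$/ {
            print "bad line " NR ": " $0; bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed demo input: the EICAR test string and the backslash pattern from
# add-by-users.txt, plus a name containing ':' to show the sanitiser at work.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# build_demo_db FILE: write the two demo signatures to FILE and validate it.
build_demo_db() {
    make_sig 'Custom.Eicar' "$EICAR" > "$1"
    make_sig 'Custom.Trojan:v4' 'Trojan.exe\4fiveVirus' >> "$1"
    validate_ndb "$1"
}

if [ "${1-}" = "--demo" ]; then
    db=$(mktemp)
    build_demo_db "$db" && cat "$db"
    rm -f "$db"
fi
```

Run with --demo to print the validated database; the hex bodies match the ones in the customsig.ndb listing above, only the names differ. Running validate_ndb on the signature server before the copy step catches a malformed line early, which otherwise surfaces only as a clamscan load error on every web server at the next monthly run.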

  • Copy customsig.ndb from the signature server to each web server (for example with scp); the monthly script only runs the third scan when it finds the file there.

Location on Web-Servers: /root/clam-scan-project/

Report from Web-Servers:

[Screenshots report1 and report2: the HTML scan reports as received by e-mail; images not included]

Cheers!!!!